GHSA-HMR5-2XCR-V8PP Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Description: Symfony's profiler, a development-only debug UI, renders source-code excerpts on several pages using Twig's custom `file_excerpt` filter. This filter renders PHP files via `highlight_string`, which escapes HTML, but renders non-PHP files by splitting on `\n` and interpolating each line directl...
CVE-2026-34036
Dolibarr 22.0.4 and earlier contains a Local File Inclusion (LFI) in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic in restrictedArea(), an authenticated user with no special privileges can read arbitrary non-PHP files...
GHSA-2MFJ-R695-5H9R Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure. Target: Dolibarr Core. Tested on: version 22.0.4. Summary: A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc...